An intrusion detection system offers means for detecting suspicious activity of an operating system employed on a device. A number of types of activities or intrusions can be detected: intrusions compromising the confidentiality of data, such as the theft of data or the search for data whose existence is not necessarily known to the attacker; intrusions compromising the integrity of data, such as the illicit modification of data or the introduction of malware; and intrusions compromising the availability of data or services, such as the illicit destruction of data or the illicit modification of the access rights of the users of the device to data or services.
These means for detecting the suspicious activity are notably useful for identifying the attackers and the modifications carried out and also for determining the necessary corrections of the software modules ensuring the security of the operating system so as to limit future intrusion.
The detection of the suspicious activity of a system is generally the result of the analysis of the behavior of that system and more particularly of the analysis of the events generated by the applications and processes of that system. As the quantity of data to be analyzed can be large, automatic analysis methods are employed. There exists a plurality of approaches to detecting the suspicious activity of an operating system.
A first or behavioral approach is founded on the principle that the exploitation of a vulnerability of the system leads to an abnormal behavior of the system. That approach was first described in the paper by J. P. Anderson, “Computer Security Threat Monitoring and Surveillance”, ACM, 1980. Such behavior corresponds, for example, to a large number of unsuccessful connection attempts or to an abnormal use of certain resources of the system. Statistical methods may be used to characterize normal and abnormal behaviors of the system. Of those methods, the Denning model characterizes the behavior of a system notably as a function of the user of the system, the resources of the system, the actions of the user on the resources of the system, the usual behavior of the user of the system, or records logging abnormal activities of the system. The behavior of a system can also be characterized by a set of logical rules applied by an expert system, for example, or by methods that classify detected system events.
A second or scenario-based approach defines the behavior of an attacker with the aid of a set of rules. That approach is described, for example, in the paper by Paul Helman, Gunar Liepins, and Wynette Richards, “Foundations of Intrusion Detection”, IEEE Computer Security Foundations Workshop, 1992. That approach can detect only scenarios that have been formalized. It is implemented, for example, either by an expert system notably including a set of logical rules defining the security policy of the system and a set of logical rules defining the vulnerabilities of the system, or by genetic algorithms.
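The two approaches side by side, as an added illustration that is not part of the original text: a behavioral check that flags a source exceeding a threshold of failed connection attempts within a sliding window, and a scenario-based check that matches an attacker scenario formalized as an ordered event sequence. The event tuples, the threshold and the scenario are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp in seconds, source, event name).
EVENTS = [
    (0, "10.0.0.5", "login_failed"),
    (1, "10.0.0.5", "login_failed"),
    (2, "10.0.0.5", "login_failed"),
    (3, "10.0.0.5", "login_failed"),
    (4, "10.0.0.5", "login_failed"),
    (5, "10.0.0.5", "login_ok"),
    (6, "10.0.0.5", "rights_changed"),
    (7, "10.0.0.9", "login_ok"),
    (90, "10.0.0.9", "login_failed"),
]

def behavioral_alerts(events, window_s=60, max_failures=4):
    """Behavioral approach: a source whose failed connection attempts inside a
    sliding window exceed max_failures deviates from normal behavior."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for ts, src, ev in events:
        if ev != "login_failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop failures outside the window
            q.popleft()
        if len(q) > max_failures:
            alerts.append((ts, src, "excessive_failed_logins"))
    return alerts

# Scenario-based approach: each scenario is an ordered event sequence from one
# source. Only sequences formalized here can be detected, which is the
# limitation of this approach noted in the text.
SCENARIOS = {
    "brute_force_then_privilege_change": ["login_failed", "login_ok", "rights_changed"],
}

def scenario_alerts(events, scenarios=SCENARIOS):
    alerts = []
    progress = defaultdict(dict)  # source -> scenario -> index of next expected event
    for ts, src, ev in events:
        for name, seq in scenarios.items():
            i = progress[src].get(name, 0)
            if ev == seq[i]:
                i += 1
            if i == len(seq):  # whole scenario observed in order
                alerts.append((ts, src, name))
                i = 0
            progress[src][name] = i
    return alerts
```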
However, these intrusion detection systems can be inhibited by an attacker or malware having sufficient access rights. This risks leading to the partial or total deactivation of the intrusion detection system.
In this case, the known solutions do not offer sufficient security since they do not make it possible to detect that an intrusion detection system has been deactivated, for example in order to reactivate it. The attacker or the malicious program is then in a position to carry out attacks exploiting the vulnerabilities previously referred to without the system being in a position to detect them.